b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n RISKS POSED BY DIGITAL PHOTOCOPIERS\n        USED IN SOCIAL SECURITY\n        ADMINISTRATION OFFICES\n\n   September 2008      A-06-08-28076\n\n\n\n\nAUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                             SOCIAL SECURITY\nMEMORANDUM\n\nDate:      September 18, 2008                                               Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   Risks Posed by Digital Photocopiers Used in Social Security Administration Offices\n           (A-06-08-28076)\n\n\n           OBJECTIVES\n           Our objectives were to (1) determine whether the Social Security Administration (SSA)\n           used digital photocopiers with memories capable of retaining sensitive information and\n           (2) identify and review actions SSA had taken to mitigate the risks posed by the\n           potential exposure of this sensitive information.\n\n           BACKGROUND\n           The Privacy Act of 1974 1 provides the framework for regulating the collection,\n           maintenance, use, and dissemination of personal information by Federal executive\n           branch agencies. In particular, the Privacy Act requires that each Agency\n\n                     . . . establish appropriate administrative, technical and physical safeguards to\n                     insure the security and confidentiality of records and to protect against any\n                     anticipated threats or hazards to their security or integrity which could result in\n                     substantial harm, embarrassment, inconvenience or unfairness to any\n                     individual on whom information is maintained. 2\n\n           The loss of personally identifiable information (PII) can result in harm, embarrassment,\n           and inconvenience to individuals and may lead to identity theft or other fraudulent use of\n           the information. Accordingly, SSA has responsibility under the law to appropriately\n           safeguard sensitive PII, including PII on the hard drives of digital photocopiers. Most\n           digital photocopiers manufactured in the past 5 years have hard drives. Digital\n           photocopier hard drives retain previously copied or printed data. According to SSA\n           staff, when the photocopier hard drive security issue first surfaced, the copier industry\n           did not generally recognize the potential security risks associated with the memory\n           retention capability of photocopier hard drives. SSA followed the industry\xe2\x80\x99s lead on this\n\n           1\n               The Privacy Act of 1974, as amended, Pub. L. No. 93-579, 5 United States Code (U.S.C.) \xc2\xa7 552a.\n           2\n               5 U.S.C. \xc2\xa7 552a(e)10.\n\x0cPage 2 - The Commissioner\n\nissue. Now, photocopiers have emerged as intelligent system peripherals with\noperating systems, hard drives, resident software programs and network server\napplications. Left unprotected or unaccounted for, digital technology can increase the\npotential for identity theft.\n\nThe Office of Acquisition and Grants (OAG) delegated sole acquisition authority to the\nOffice of Publications and Logistics Management, Reprographic Management Team\n(RMT) to procure and manage reprographic equipment (photocopiers), services, and\nsupplies for all SSA Regional and Headquarters offices nationwide. With OAG\napproval, RMT established 12 active Blanket Purchase Agreements (BPA) covering\nreprographic equipment purchase, supplies, and maintenance services. As of\nDecember 2007, RMT records indicated SSA had 4,663 photocopiers in use. The\ninventory included 97 different photocopier models manufactured by 7 vendors.\n\nRESULTS OF REVIEW\nAs of December 2007, 2,173 of the 4,663 photocopiers SSA had in-use nationwide\ncontained hard drives capable of retaining sensitive information. We found that SSA did\nnot effectively mitigate the risks posed by the potential exposure of sensitive\ninformation. 3 During our review, we found SSA did not\n\n\xe2\x80\xa2     sanitize or destroy photocopier hard drives upon disposal, as required, and\n\n\xe2\x80\xa2     include a non-disclosure statement in its agreement with vendors that precludes the\n      disclosure of sensitive information when photocopiers are taken off-site for repair.\n\nAdditionally, SSA\xe2\x80\x99s inventory tracking system did not adequately (1) distinguish between\nstand-alone photocopiers with no hard drives and photocopiers with hard drives or\n(2) account for purchases in a timely manner.\n\nSSA DID NOT SANITIZE PHOTOCOPIER HARD DRIVES BEFORE DISPOSITION\n\nSSA did not comply with policy for sanitizing or destroying data stored on hard drives\nupon disposal. For example, when SSA replaces a photocopier, a vendor delivers the\nnew photocopier and picks up the old photocopier at its respective location. SSA does\nnot sanitize or destroy information on the old photocopier\xe2\x80\x99s hard drive before releasing it\nto the vendor. As depicted in the table below, in Calendar Years 2006 and 2007, SSA\ntraded in 1,957 photocopiers on the purchase of new photocopiers. We found 454 of\nthe 1,957 photocopiers had hard drives.\n\n\n\n\n3\n    We are not aware of any reported cases of PII breach involving digital photocopiers.\n\x0cPage 3 - The Commissioner\n\n                                     RMT Copier Trade-Ins\n                                   (Calendar Years 2006-2007)\n                               With Hard Drives     454   23.2%\n                                         Other    1,503   76.8%\n                                          Total   1,957 100.0%\n\nSSA did not have procedures in place to ensure that photocopier hard drives were\nsanitized or destroyed. We were told the responsibility for sanitizing or destroying\nphotocopier hard drives had not been assigned within SSA or contracted to an outside\nentity.\n\nSSA\xe2\x80\x99s Information Systems Security Handbook (ISSH) requires that hard drives be\nsanitized before they are released to a vendor to prevent unauthorized disclosure of\ninformation. 4 However, at the time of our review, SSA had not implemented procedures\nto ensure photocopier hard drives were sanitized or destroyed. While there have been\nno known unauthorized security breaches, there is a risk of exposing sensitive\ninformation to unauthorized individuals.\n\nNON-DISCLOSURE STATEMENT MISSING FROM SERVICE AGREEMENT\n\nSSA did not comply with its own policy to mitigate the risks posed by the potential\nexposure of sensitive information in the event a photocopier is sent off-site for repair.\nSSA\xe2\x80\x99s BPA does not include required wording for non-disclosure of information by the\nservicing vendor when a photocopier with a hard drive is repaired off-site. The typical\nwording related to off-site repairs observed on the BPAs states only the following.\n\n          The Contractor may perform repair work at the Government site, or at the\n          Contractor's local service branch. If the Contractor removes the equipment for\n          repair, the Contractor shall provide a comparable loaner machine to the\n          Government for temporary use at the time the Contractor removes the\n          equipment for repair.\n\nSSA\xe2\x80\x99s BPAs should be updated to reflect SSA's policy on the disposal of information\ntechnology media, which went into effect in 2006. The policy states, when a personal\ncomputer, hard drive, or other storage device is sent off-site for repair, the repair\ncontract must include a requirement for non-disclosure of information by the servicing\nvendor. 5 According to RMT staff, the current SSA policy in the ISSH regarding disposal\nof technology media applies to photocopiers as well.\n\nThe approved dates of the BPAs reviewed ranged from September 17, 2001 to\nDecember 22, 2005, a time period that preceded this 2006 policy. When the disposal of\n\n4\n Information Systems Security Handbook 10.3.1, Disposal/Donation of Information Technology\nEquipment, June 2006. Although the policy does not specify photocopiers, SSA officials advised us the\npolicy applies to photocopier hard drives.\n5\n    Id.\n\x0cPage 4 - The Commissioner\n\ntechnology media policy was issued in 2006, RMT continued to order reprographic\nequipment from existing BPAs established by OAG before the 2006 security policy\nchange.\n\nOn June 18, 2008, we were advised that SSA was negotiating with all current BPA\nholders to include language that hard drive sanitation must be completed in instances\nwhere photocopiers are (1) sent off-site for repair or when hard drives need to be\nreplaced, (2) relocated to different work sites, and (3) traded in for new photocopiers. In\naddition, we were advised that RMT requested BPA modifications that will require\nvendors to complete and submit a hard drive certification form that they have wiped or\ndestroyed the hard drive. Certain vendors can certify the presence of an automatic\noverwrite feature for certain models that automatically wipes the information from the\nhard drive. Completion of the form is required for each copier before the removal of\nSSA\xe2\x80\x99s copiers from Regional or Headquarters offices for any reason (repair, relocation\nor replacement). RMT will retain a copy of each hard drive certification form while the\ncopier remains in service at SSA.\n\nSSA\xe2\x80\x99S PHOTOCOPIER INVENTORY TRACKING SYSTEM\n\nRMT staff track photocopier inventory on Microsoft Excel spreadsheets. During our\nreview, we determined SSA\xe2\x80\x99s photocopier inventory tracking system did not adequately\n\n\xe2\x80\xa2   identify whether photocopiers contained hard drives, and\n\xe2\x80\xa2   track photocopier purchases in a timely manner.\n\nHard Drives in Photocopiers Not Properly Identified\n\nSSA\xe2\x80\x99s system for tracking photocopiers with hard drives requires improvement. Instead\nof relying on photocopier purchase documents, which record whether each photocopier\ncontained a hard drive, SSA relied on vendors to determine whether the photocopier\nhad a hard drive. Since hard drives were optional on some photocopier models, the\nreliance on vendors for hard drive information was not always accurate. To illustrate,\nusing RMT\xe2\x80\x99s December 2007 inventory data, we identified three photocopier models\nwhere the inventory showed the photocopiers did not contain hard drives. Through\nreview of acquisition documentation, we determined hard drives were included on\n269 of these photocopiers. Based on our review, RMT updated its inventory data to\nindicate these 269 photocopiers contained hard drives. 6\n\n\n\n\n6\n RMT updated its inventory to include one additional photocopier originally purchased without a hard\ndrive but later upgraded with a hard drive.\n\x0cPage 5 - The Commissioner\n\n                          RMT Photocopier Inventory Data\n                                 (December 2007)\n                     Pre-Audit                    Post-Audit\n                  Type       # of Units       Type        # of Units\n            With Hard Drives   1,903    With Hard Drives     2,173\n                       Other   2,760               Other     2,490\n                       Total   4,663               Total     4,663\n\nWe believe the system used to track photocopiers should be automated and accurately\nidentify the machines that contain hard drives. To automate its photocopier inventory\nmanagement and billing process, SSA entered into a contract in September 2007 for an\nautomated inventory system. SSA previously attempted to automate the inventory\nprocess. In September 2002, SSA awarded a contract to redesign the RMT\nphotocopier inventory and vendor billing reconciliation processing system, which was\nnamed the Reprographic Inventory Management System. In 2003, modifications were\nissued to the contract, but the contract period expired before the work was completed.\n\nBased on the statement of work under the 2007 contract award, the contractor will\nmigrate the current inventory into an upgraded version of the Office of Property\nManagement\xe2\x80\x99s Sunflower Assets system.\n\nPurchases Not Added to Inventory Timely\n\nSSA did not record photocopier purchases in a timely manner. According to SSA,\nemployees track photocopier inventory on Microsoft Excel spreadsheets. However,\nSSA did not add new inventory to the spreadsheets until the end of each photocopier\xe2\x80\x99s\n90-day warranty period. We were told newly purchased photocopiers were not added to\nthe inventory because RMT did not always know the serial number. By the end of the\nwarranty period, the serial number had been received from the vendor. By not tracking\npurchases until the end of the 90-day warranty, there is a 3-month time period where\nthe accounting of photocopiers is incomplete because newly purchased photocopiers\nare not included on the inventory.\n\nCONCLUSIONS AND RECOMMENDATIONS\nSSA uses more than 2,100 digital photocopiers with memories capable of retaining\nsensitive information and can take steps to mitigate the information security risks posed\nby digital photocopiers. We determined that SSA had a documented policy to sanitize\nor destroy information contained on hard drives; however, SSA had not applied the\npolicy to digital photocopiers. For example, SSA traded-in old photocopiers to vendors\nwithout SSA sanitizing or destroying information on their hard drives. Also, agreements\nbetween SSA and vendors did not include the required non-disclosure language. We\nalso found SSA\xe2\x80\x99s inventory did not always accurately identify photocopiers with hard\n\x0cPage 6 - The Commissioner\n\ndrives or account for photocopiers within a reasonable period. To ensure that SSA fully\ncomplies with Federal law and Agency policy, as well as ensure that SSA adequately\naccounts for its photocopier inventory, we recommend SSA:\n\n1. Establish procedures for sanitizing or destroying photocopier hard drives.\n\n2. Amend the maintenance provision in current BPAs and in future agreements to\n   include the required non-disclosure statement by the servicing vendor when the\n   photocopier is sent off-site for repair.\n\n3. Implement an automated photocopier inventory system that includes the capability of\n   tracking the existence of hard drives.\n\n4. Record all digital photocopier purchases to the automated tracking system within a\n   reasonable time after the equipment is received and installed.\n\nAGENCY COMMENTS\nSSA agreed with our recommendations. The full text of the Agency\xe2\x80\x99s comments is\nincluded in Appendix C.\n\n\n\n\n                                               Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Agency Comments\n\nAPPENDIX D \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                      Appendix A\n\nAcronyms\n\nBPA           Blanket Purchase Agreement\nISSH          Information Systems Security Handbook\nOAG           Office of Acquisition and Grants\nPII           Personally Identifiable Information\nPub. L. No.   Public Law Number\nRMT           Reprographic Management Team\nSSA           Social Security Administration\nU.S.C.        United States Code\n\x0c                                                                       Appendix B\n\nScope and Methodology\nTo accomplish our objectives, we\n\n\xe2\x80\xa2   Reviewed the applicable sections of the Privacy Act of 1974, Federal Information\n    Security Management Act of 2002, Federal Acquisition Regulations, Social Security\n    Administration\xe2\x80\x99s (SSA) Program Operations Manual System, Administrative\n    Instructions Manual System and Information Systems Security Handbook.\n\n\xe2\x80\xa2   Considered the security implications of Office of Management and Budget\n    Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable\n    Information, July 12, 2006.\n\n\xe2\x80\xa2   Interviewed SSA employees from the Center for Office Property, Office of\n    Acquisition and Grants, and Office of Information Technology Security Policy.\n\n\xe2\x80\xa2   Obtained a database of photocopiers in use nationwide. We performed limited\n    testing on the data and found them to be sufficiently reliable to meet our audit\n    objectives.\n\n\xe2\x80\xa2   Selected and reviewed six photocopier models with hard drives on SSA\xe2\x80\x99s database.\n    These 6 models totaled 1,626 (75 percent) of the 2,173 inventoried photocopiers\n    with hard drives.\n\n\xe2\x80\xa2   Obtained a database of photocopiers traded in for new photocopiers in\n    Calendar Years 2006 and 2007.\n\nWe performed audit work between December 2007 and May 2008 in Baltimore,\nMaryland, and Dallas, Texas. The entity audited was SSA\xe2\x80\x99s Office of Publications and\nLogistics Management under the Deputy Commissioner for Budget, Finance and\nManagement. We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable\nbasis for our findings and conclusions based on our audit objectives. We believe the\nevidence obtained provides a reasonable basis for our findings and conclusions based\non our audit objectives.\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                        SOCIAL SECURITY\n\n\nMEMORANDUM\n\n\nDate:     September 3, 2008                                                     Refer To:   S1J-3\n\nTo:       Patrick P. O'Carroll, Jr.\n          Inspector General\n\nFrom:     David V. Foster /s/ J. Winn for DVF\n          Executive Counselor to the Commissioner\n\nSubject   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cRisks Posed by Digital Photocopiers Used\n:         in Social Security Administration Offices\xe2\x80\x9d (A-06-08-28076)--INFORMATION\n\n\n          We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Attached is our response to the\n          recommendations.\n\n          Please let me know if we can be of further assistance. Please direct staff inquiries to\n          Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.\n\n\n          Attachment\n\n\n\n\n                                                       C-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, \xe2\x80\x9cRISKS POSED BY DIGITAL PHOTOCOPIERS USED IN SOCIAL\nSECURITY ADMINISTRATION OFFICES\xe2\x80\x9d (A-06-08-28076)\n\nThank you for the opportunity to review and provide comments on this draft report.\n\nRecommendation 1\n\nEstablish procedures for sanitizing or destroying photocopier hard drives.\n\nComment\n\nWe agree. In November 2007, we began efforts to incorporate a hard drive sanitization policy\ninto all photocopier purchase and maintenance Blanket Purchase Agreements (BPA). We\nincluded statements in the BPAs addressing sanitizing hard drives for all trade-ins. In July 2008,\nwe began processing procurements with the hard drive sanitization requirements. We require\neach vendor to complete a hard drive certification form and instruction sheet certifying that each\nphotocopier with a hard drive has automatic hard drive overwrite capability or that the contractor\nhas erased/destroyed all data on the hard drive for each photocopier model.\n\nBy December 30, 2008, we will amend the Administrative Instructions Manual System (AIMS)\nguidelines and post updated policies to our website at http://ssahost.ba.ssa.gov/oplm/default.cfm.\n\nRecommendation 2\n\nAmend the maintenance provision in current BPAs and in future agreements to include the\nrequired non-disclosure statement by the servicing vendor when the photocopier is sent off-site\nfor repair.\n\nComment\n\nWe agree. We amended all current maintenance BPAs to include a requirement specifying that\nthe contractor must overwrite (wipe) or destroy all data on the hard drive and certify this\ninformation on a hard drive certification form each time a photocopier is removed from our\npremises for any reason. In June 2008, the vendors signed the BPA modifications. We also\nadded this new requirement for all future Statements of Work requesting vendor bids.\n\nThe hard drive security provisions will be included in all future maintenance agreements. By\nDecember 30, 2008, we will amend the AIMS guidelines and post the updated policies to our\nwebsite at http://ssahost.ba.ssa.gov/oplm/default.cfm.\n\n\n\n\n                                              C-2\n\x0cRecommendation 3\n\nImplement an automated photocopier inventory system that includes the capability of tracking\nthe existence of hard drives.\n\nComment\n\nWe agree. In September 2007, we awarded a contract to Annams, Inc., to create an automated\ninventory management system to track photocopiers. The new system will be a module of our\nexisting Sunflower Assets system. In June 2008, Annams completed a prototype demonstration.\nOn August 19, 2008, we delivered to Annams all photocopier data for migration into the new\ninventory management system. The data files for migration will include hard drive information\nfor each photocopier. September 30, 2008, is our target date for completing the new automated\nsystem. However, all photocopiers are now manufactured to include hard drives and while we\nagree with the recommendation for existing copiers, we believe it will be unnecessary to\nspecifically track the existence of hard drives of copiers purchased in the future.\n\nRecommendation 4\n\nRecord all digital photocopier purchases to the automated tracking system within a reasonable\ntime after the equipment is received and installed.\n\nComment\n\nWe agree. We have already incorporated language in current BPAs addressing the reporting\nrequirement for contractors providing photocopiers to us. This procedure includes our newly\ncreated Proof of Install (POI) form for all new photocopier installations. The vendor must\ncomplete the form and obtain our signature at the installation site. The vendor must submit the\nform to us by the 15th of the month following installation. The POI form will be included in all\nfuture copier agreements as a requirement under delivery and installation procedures. As cited\nabove, our photocopier inventory system scheduled to be operational in September 2008 will\nallow us to upload delivery and installation data to the automated system in a timely manner.\n\n\n\n\n                                              C-3\n\x0c                                                                       Appendix D\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n   Ron Gunia, Director, (214) 767-6620\n\n   Jason Arrington, Audit Manager, (214) 767-1321\n\nAcknowledgments\nIn addition to those named above:\n\n   Lela Cartwright, Senior Auditor\n\nFor additional copies of this report, please visit our web site at www.ssa.gov/oig or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Staff Assistant at\n(410) 965-4518. Refer to Common Identification Number A-06-08-28076.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c"